Found 1 post matching "漏洞修复" (vulnerability fix)
2022-03-15
linuxea: openssl and openssh [CVE-2021-3711] fix
OpenSSL 1.1.1l: fixed an SM2 decryption buffer overflow ([CVE-2021-3711]).

Changes between 1.1.1k and 1.1.1l [24 Aug 2021]

Fixed an SM2 Decryption Buffer Overflow. In order to decrypt SM2 encrypted data an application is expected to call the API function EVP_PKEY_decrypt(). Typically an application will call this function twice. The first time, on entry, the "out" parameter can be NULL and, on exit, the "outlen" parameter is populated with the buffer size required to hold the decrypted plaintext. The application can then allocate a sufficiently sized buffer and call EVP_PKEY_decrypt() again, but this time passing a non-NULL value for the "out" parameter. A bug in the implementation of the SM2 decryption code means that the calculation of the buffer size required to hold the plaintext returned by the first call to EVP_PKEY_decrypt() can be smaller than the actual size required by the second call. This can lead to a buffer overflow when EVP_PKEY_decrypt() is called by the application a second time with a buffer that is too small. A malicious attacker who is able to present SM2 content for decryption to an application could cause attacker chosen data to overflow the buffer by up to a maximum of 62 bytes altering the contents of other data held after the buffer, possibly changing application behaviour or causing the application to crash. The location of the buffer is application dependent but is typically heap allocated. ([CVE-2021-3711]) Matt Caswell

OpenSSL 1.1.1m: avoids loading a dynamic engine twice.

Changes between 1.1.1l and 1.1.1m [xx XXX xxxx]

Avoid loading of a dynamic engine twice. Bernd Edlinger
Prioritise DANE TLSA issuer certs over peer certs. Viktor Dukhovni
Fixed random API for MacOS prior to 10.12. These MacOS versions don't support the CommonCrypto APIs. Lenny Primak

OpenSSL patch releases (the ones that fix small bugs without affecting stability) are ordered alphabetically by their trailing letter, for example 1.1.1l and then 1.1.1m. The release history can be browsed on the OpenSSL site; the newest version has already moved to 3.0.1.

Dependencies (the packages can also be downloaded for offline use):

    yum install -y gcc gcc-c++ autoconf automake zlib zlib-devel pcre-devel pam-devel openssl openssl-devel openssl-libs lrzsz

openssl

Source snapshots: https://www.openssl.org/source/snapshot/

rpm

RPM package download: https://github.com/philyuchkoff/openssl-RPM-Builder/releases

    rpm -e --justdb --nodeps openssl-libs
    rpm -e --justdb --nodeps openssl-1:1.0.2k
    rpm -ivvh openssl-1.1.1m-1.el7.x86_64.rpm --nodeps
    openssl version

Building from source is recommended.

openssl-1.1.1l

https://www.openssl.org/source/openssl-1.1.1l.tar.gz
https://www.openssl.org/source/snapshot/openssl-1.1.1-stable-SNAP-20220120.tar.gz

    # download and extract 1.1.1l, then build from its own directory
    wget --no-check-certificate https://www.openssl.org/source/openssl-1.1.1l.tar.gz
    tar xf openssl-1.1.1l.tar.gz -C /usr/local/
    mv /usr/bin/openssl{,.bak}
    mv /usr/include/openssl{,.bak}
    cd /usr/local/openssl-1.1.1l/
    ./config shared && make && make install

openssl-1.1.1m

https://www.openssl.org/source/openssl-1.1.1m.tar.gz

    wget --no-check-certificate https://www.openssl.org/source/openssl-1.1.1m.tar.gz
    tar xf openssl-1.1.1m.tar.gz -C /usr/local/
    mv /usr/bin/openssl{,.bak}
    mv /usr/include/openssl{,.bak}
    cd /usr/local/openssl-1.1.1m
    ./config shared && make && make install

Symlinks

    ll /usr/local/bin/openssl
    ll -d /usr/local/include/openssl/
    ln -s /usr/local/bin/openssl /usr/bin/openssl
    ln -s /usr/local/include/openssl/ /usr/include/openssl
    ll /usr/bin/openssl
    ll -d /usr/include/openssl
    # make the new shared libraries in /usr/local/lib64 visible to the loader
    echo "/usr/local/lib64" >> /etc/ld.so.conf
    /sbin/ldconfig
    openssl version
    openssl version -a

openssh

Install dependencies:

    yum install -y gcc gcc-c++ autoconf automake zlib zlib-devel pcre-devel pam-devel openssl openssl-devel openssl-libs

Configure the necessary build options:

    mv /etc/ssh{,.bak}
    mkdir /usr/local/openssh
    curl -Lk https://openbsd.hk/pub/OpenBSD/OpenSSH/portable/openssh-8.7p1.tar.gz | tar xz -C ./
    cd openssh-8.7p1/
    ./configure --prefix=/usr/local/openssh \
        --sysconfdir=/etc/ssh \
        --with-openssl-includes=/usr/local/include \
        --with-ssl-dir=/usr/local/lib64 \
        --with-zlib \
        --with-md5-passwords \
        --with-pam && \
    make && \
    make install

Minimal sshd configuration:

    echo "UseDNS no" >> /etc/ssh/sshd_config
    echo "Port 6789" >> /etc/ssh/sshd_config
    echo 'PermitRootLogin yes' >> /etc/ssh/sshd_config
    echo 'PubkeyAuthentication yes' >> /etc/ssh/sshd_config
    echo 'PasswordAuthentication yes' >> /etc/ssh/sshd_config
    mv /usr/sbin/sshd{,.bak}
    mv /usr/bin/ssh{,.bak}
    mv /usr/bin/ssh-keygen{,.bak}
    ln -s /usr/local/openssh/bin/ssh /usr/bin/ssh
    ln -s /usr/local/openssh/bin/ssh-keygen /usr/bin/ssh-keygen
    ln -s /usr/local/openssh/sbin/sshd /usr/sbin/sshd
    ssh -V

Configure startup on boot:

    systemctl disable sshd --now
    mv /usr/lib/systemd/system/sshd.service{,.bak}
    systemctl daemon-reload
    \cp -a contrib/redhat/sshd.init /etc/init.d/sshd
    # PAM looks the policy up by service name, so the file must be /etc/pam.d/sshd
    \cp -a contrib/redhat/sshd.pam /etc/pam.d/sshd
    chkconfig --add sshd
    # re-run the generators so systemd sees the new SysV script
    systemctl daemon-reload
    systemctl enable sshd --now
    systemctl start sshd
    ssh -V
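The post notes that OpenSSL patch releases are ordered by a trailing letter, so a plain numeric compare of `openssl version` output is not enough. The following added example (not code from the original post) ranks that letter and classifies a version line against 1.1.1l, the release that fixed CVE-2021-3711; the sample version lines are constructed.

```shell
#!/bin/sh
# Added example: classify an `openssl version` line against 1.1.1l, the
# release that fixed CVE-2021-3711. OpenSSL 1.x patch releases are ordered
# by a trailing letter (1.1.1k < 1.1.1l < 1.1.1m), so the letter is ranked.
# Assumes X.Y.Z[letter] version strings; a "-fips" style suffix is dropped.

FIXED_VERSION="1.1.1l"

# letter_rank: '' -> 0, a -> 1, b -> 2, ... (POSIX printf "'c" gives the code point)
letter_rank() {
    if [ -z "$1" ]; then echo 0; else echo $(( $(printf '%d' "'$1") - 96 )); fi
}

# version_num: turn "1.1.1l" into one sortable integer
version_num() {
    v=${1%%-*}                  # drop "-fips" / "-stable" suffixes
    num=${v%%[a-z]*}            # numeric part, e.g. 1.1.1
    letter=${v#"$num"}          # trailing patch letter, possibly empty
    major=${num%%.*}; rest=${num#*.}
    minor=${rest%%.*}; patch=${rest#*.}
    echo $(( major * 100000000 + minor * 1000000 + patch * 10000 + $(letter_rank "$letter") ))
}

# cve_2021_3711_status "OpenSSL 1.1.1k  25 Mar 2021" -> prints "fixed" or "pre-fix"
cve_2021_3711_status() {
    set -- $1                   # split the version line on whitespace; $2 is the version
    if [ "$(version_num "$2")" -ge "$(version_num "$FIXED_VERSION")" ]; then
        echo fixed
    else
        echo pre-fix
    fi
}

# Constructed sample lines in the format `openssl version` prints
for line in "OpenSSL 1.0.2k-fips  26 Jan 2017" \
            "OpenSSL 1.1.1k  25 Mar 2021" \
            "OpenSSL 1.1.1m  14 Dec 2021" \
            "OpenSSL 3.0.1 14 Dec 2021"; do
    printf '%-36s %s\n' "$line" "$(cve_2021_3711_status "$line")"
done
```

On a real host, feed it `"$(openssl version)"` for each binary of interest (the distro one in /usr/bin and the newly built one in /usr/local/bin), since the post leaves both on disk.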